Comment on "Arbitrated quantum-signature scheme" 
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We investigate the quantum signature scheme proposed by Zeng and Keitel [Phys. Rev. A 65, 
042312 (2002)]. It uses Greenberger-Horne-Zeilinger (GHZ) states and the availability of a trusted 
arbitrator. However, in our opinion the protocol is not clearly operationally defined and several 
steps are ambiguous. Moreover, we argue that the security statements claimed by the authors are 
incorrect. 

PACS numbers: 



Digital signature schemes provide message authentica- 
tion which enables third parties to settle disputes about 
the authenticity of messages. In Ref. [l| Zeng and Kei- 
tel proposed a quantum signature scheme that requires 
the availability of a trusted arbitrator as part of the sig- 
nature initialization and verification algorithms. In our 
opinion, the protocol is not well operationally defined, its 
presentation is misleading, and several steps are ambigu- 
ous. Moreover, we believe that the security statements 
claimed by the authors are incorrect. We first list the 
main points of our criticism and then provide more de- 
tails. 

The scheme proposed in Ref. Q has as its goal to sign 
a quantum state \P). From the paper, however, it is not 
clear whether the sender (Alice), the receiver (Bob), or 
the arbitrator, need to know the identity of the quantum 
state \P) to be signed, or whether they have access to 
a restricted number of copies of an unknown state \P). 
One of the main motivations for the work presented in 
Ref. [l] is that "classical signature schemes are difficult 
to assign to messages in qubit format" . Then, one might 
be tempted to assume that none of the parties involved 
in the communication has a classical description of the 
state |P). However, it is well known that signing un- 
known quantum messages is not possible 0. One can 
then consider that all the parties know the state \P). 
This assumption renders the quantum signature scheme 
proposed in Ref. [l| to one intended to sign classical data 
using quantum resources. However, in this scenario it is 
unclear what are the real advantages of this protocol, if 
any, with respect to unconditionally secure classical sig- 
nature schemes (see, e.g., Ref. [3| and references therein). 
Finally, one can assume the natural scenario where Bob 
(or even the arbitrator) do not know the state \P). How- 
ever, as we will show below, the signature scheme pro- 
posed in Ref. [l| is insecure in this last case [1]. 

In several crucial points of the protocol a step of state 
comparison is required . Especially, if Bob does not know 
the state \P) to be signed, he would have to compare two 
unknown states. The authors of Ref. [l| did not clarify 
in their manuscript how to perform these quantum state 



comparison steps, and they treat them as determinis- 
tic and error-free processes. However, it is evident from 
the no-cloning theorem [5| to be impossible to do uni- 
versal quantum state comparison in a deterministic way 
and without disturbing the original states. For a quan- 
titative analysis of this scenario see Ref. [1], where the 
optimal comparison test and its success probability have 
been recently obtained. 

Let us now discuss our criticism in more detail. We 
start with a brief description of the protocol. The scheme 
includes three phases [1|]: an initial phase, a signing 
phase, and a verification phase. In the first one, Alice, 
Bob, and the arbitrator distribute two secret keys, Ka 
(Alice- arbitrator) and Kj, (Bob-arbitrator). These two 
secret keys might consist of quantum states or of classi- 
cal data. Next, they create and distribute GHZ states. 
The distribution of GHZ states has to be repeated for ev- 
ery single communication: the "algorithm relies crucially 
on the entanglement of the three involved communica- 
tors" . In this Comment we will consider that this initial 
phase can be completed in a safe manner, although the 
authors of Ref. [1] do not present any specific protocol to 
verify the correct execution of entanglement distribution. 

The signing phase can be used to sign pure n-qubit 
messages of the form \P) = 0"^i(ai|O) + The 
signature of |P), denoted as \S), is defined as a quantum 
encryption of some classical data Ma and a quantum 
state \R). In order to encrypt this information Ref. [l| 
proposes to use the "approach known as 'quantum state 
operation"' . It remains unclear what the authors mean 
with "quantum state operation" , but a quantum one- 
time-pad scheme might be used for this purpose 7} . More 
important, in this step it is not clearly defined how the 
crucial quantum state \R) is generated by Alice. First, it 
seems that Alice uses Ka to select a set of "measurement 
operators" Mk^- If denotes a quantum state \Ka), 
then Mk^ must contain \Ka) as an eigenvector. Note, 
however, that in this scenario it remains unclear how Al- 
ice can obtain Aixa from \Ka) if she does not have a 
classical description of the quantum state \Ka)- If Ka 
is a classical key then Mk^ can represent any measure- 
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ment operator within a given set indexed by Ka- Next, 
the sentence "Ahce is required to measure the informa- 
tion string of qubits |P) using ^-nd obtains 
seems to indicate that \R) arises from a measurement 
on |P), i.e., Mk^ is an observable. Note, however, that 
in this case the protocol can only work probabilistically. 
After receiving an advance copy of this manuscript, the 
authors of Ref. [IJ eniphasized that Mk^ denotes a uni- 
tary transformation Therefore, from now on we will 
consider that \R) = MxalP) with Mk^ unitary. 

The verification algorithm requires the arbitrator to 
obtain a parameter 7 arising from a forgery test. In order 
to do that, he needs to generate two quantum states, 
\R) and \R'), that need to be compared (Step 2 in the 
verification phase). If \R) and \R') are different, then 
7 = and \P) has to be rejected. Otherwise 7 = 1 and 
Bob needs to perform a second verification test. Here, 
again, it is not clearly stated how does the arbitrator 
obtain these two states \R) and \R') from A4i,, \S), and 
\P) sent by Bob. More important, as pointed out above, 
the authors of Ref. [l| do not explain how the quantum 
state comparison test between \R) and \R') is performed. 

Once the first forgery test introduced above concludes, 
the arbitrator needs to obtain a parameter Mf The pro- 
cedure to generate A^t is a bit misleading . Ref. [l| claims 
that "the arbitrator measures or evaluates the states of 
the particles in his string of GHZ states". Again, here 
it is not clear the meaning of "evaluates". Once A4t is 
obtained, whatever the process involved, the arbitrator 
prepares a quantum state ytb containing part of the in- 
formation obtained in the previous steps of the protocol 
and he sends it to Bob. 

Depending on the contents of ytb, Bob needs to decide 
whether the message originates from Alice or not. This 
constitutes the last step of the verification phase. Now 
Bob has to compare the quantum state \P) with a state 
\P'). "If \P') — |P), the signature is completely correct 
and Bob accepts \P), otherwise, he rejects it". Again, at 
this crucial point we find the problem of how to obtain 
the quantum states \P) and from ytb, and how to 
realize the quantum state comparison test. 

Next, we show that the protocol presented in Ref. [1] 
cannot lead to a secure signature scheme if Bob and the 
arbitrator do not know the state \P). To simplify our 
notation, we shall mainly consider one-qubit messages. 
I.e., \P)=a\0)+m- 

To obtain the parameter Ma, Alice performs a Bell 
measurement on a copy of the state \P) and her particle 
of the GHZ state. Let us assume, for instance, that Aia 
corresponds to the state |5'i2)a (see Eq. (8) in Ref. 
which will always occur with probability 1/4, and that 
\R) has been obtained as \R) — MkJP), with Mk^ 
denoting a unitary transformation. The correlations of 
the GHZ state impose, in this case, that the state shared 
by Bob and the arbitrator is \(p) — a\00) — /3|11). 

The verification phase begins once Bob receives \P) 
and \S) from Alice. Here Bob measures his particle of \lp) 
in the x direction. The result is recorded in the parameter 



Aib- The state \ip) = a|00) — can be written as 

1^) = 1/V2{\ + x)az\P) + I - x)\P)), where \ ± x) = 
l/\/2(|0) ± |1)), and az is the Pauh matrix {az\0) = 
|0) and <Jz\i) = — Both possible results, {| ± x)}, 
have equal a priori probability 1/2. Let us consider, for 
instance, that Mb = I +x). The state of the arbitrator's 
particle is then reduced to az\P). 

Next, Bob sends yb = Kb{Mb, \ S),\P)) to the arbitra- 
tor. With this information the arbitrator performs his 
forgery test. Now, in order to obtain \R) and \R'), we 
consider two possible alternatives. On the one hand, to 
evaluate if the message received by Bob is authentic, it 
seems that \R) and \R') should depend on \P) and \S). 
That is, \R) originates from \P) as \R) = MxalP), and 
\R') from 15*) (or vice versa). On the other hand, the au- 
thors of Ref. [l|) assert that the decryption of \S) "gives 
rise to \R') via the correlations of the GHZ state". One 
might then also think that \R') (or \R)) arises from the 
GHZ particle of the arbitrator, and \R) (or \R')) from 
\S) or \P). Note that by using the correlations Ma (con- 
tained in \S)), and Mb the arbitrator can find that his 
particle is in the state (Tz\P)- Then he could recover \P) 
applying az (c^ ^ More important, once the arbitra- 
tor obtains \R) and \R'), whatever the process involved, 
he needs to compare these two unknown quantum states 
to decide whether they are equal or not. Unfortunately, 
it is known that it is impossible to conclusively identify 
two pure unknown states as being identical [6|. Never- 
theless, one can perform a measurement that examines 
whether the systems are not the same Let q denote 
the average success probability of identifying two pure 
unknown states as different. With this comparison pro- 
cedure no valid messages will produce 7 = 0, but we find 
that a forged message will be accepted with probability 
1 — q. For one-qubit messages we have that q = 1/4 
Q. Here we consider that \R) and \R') are selected at 
random within the set of all pure states. For n-qubit 
messages the value of q depends on Mk^- Ref. [l| seems 
to consider Mk^ ~ -^k' ' ^i^^ -^k^ unitary for 

all i. \P)\S) ~ (S'^Li bi)l'Si)7 Now a potential adversary 
could follow, for instance, an strategy that do not mod- 
ify all the n qubits contained in \P), but only a small 
fraction m of them. This is sufficient to achieve a dra- 
matic decrease of the quantum fidelity ^ of the result- 
ing quantum state with respect to the original message 
\P). In the worse-case-scenario (m = 1) the arbitrator 
will accept a forged message with probability 3/4. One 
can improve the ability of detecting forged messages by 
using a general unitary transformation Mk^- Unfortu- 
nately, even for this scenario the value of q is relative 
low: q = 1/2 (1 — 2^") [6]. As a consequence, we find 
that a possible attacker (which includes as well a poten- 
tial dishonest Bob) could modify Alice's messages such 
that the acceptance parameter 7 satisfies 7 = 1 with non 
negligible probability. Moreover, note that so far we al- 
ways assumed that \R) and \R') are pure states. A better 
security analysis against an adversary that sends mixed 
states, would also be necessary here. 
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From now on, we shall presume that Bob is honest 
and we evaluate his forgery test. For simplicity, we will 
consider that the comparison process described above can 
be accomplished without disturbing the original states. 

After calculating 7, the arbitrator needs to obtain the 
parameter Ait- "Note that Ait may be | + a;) or | — x)". 
It seems, therefore, that to obtain AAt € {I i 2;)} the 
authors of Ref. [l| require that the arbitrator measures 
his particle of the GHZ state in the x direction. Further- 
more, in Ref. [l| it is specifically mentioned that "the 
arbitrator may choose an appropriate sequence of mea- 
surement operators to measure his GHZ particle" . Once 
this measurement is performed, the arbitrator sends Bob 
the state ytb = Kb{Ma,Mb,Mt,j, \S)). 

Bob does not know Alice's secret key Ka- This means 
that from ytb he cannot obtain the message \P) anymore. 
Note that \P) cannot be calculated from Aia, Aib, and 
Mt alone: the parameters Ada and A4b are completely 
independent of \P), whereas Ait — | ± a;) only means 
that \P) is not orthogonal to | =F a^) (assuming that the 
arbitrator's particle was az\P))- To avoid this problem 
in the protocol, let us assume for the moment that ytb also 
includes the message | P) , or that Bob can have access to 
a copy of the state |P) somehow. 

Now the last step of the verification phase takes place. 
Here Bob has to compare \P) with a state |P'). "If 
\P') — |P), the signature is completely correct and Bob 
accepts \P), otherwise, he rejects it". In order to obtain 
|P') Bob must use the parameters Aia, Aib and Ait- 
Note that "|P') is obtained from a calculation and not 
a physical measurement, because Bob's particle has al- 
ready been measured in the first step of the verification 
phase". But, as pointed out above, from Aia^ A^b, and 
Ait, Bob might obtain a |P') different from |P) even for 
valid messages. Note that the result of a measurement 
[Mt) on a quantum state {az\P)) does not completely 
identify the original state. In fact, one may even as- 
sume that the arbitrator does not measure his particle 
of the GHZ state. Instead, he sends it to Bob in place 
of the parameter Ait- Unfortunately, we end up again 
with the problem of comparing two unknown quantum 
states. This comparison test can produce the acceptance 
of forged messages with non negligible probability. 

So far we have shown that the quantum signature 
scheme proposed in Ref. [l[ is unable to guarantee se- 
curity against a dishonest Bob or a possible attacker in 



the natural scenario where |P) is only known to the signer 
Alice. Moreover, we have shown that, even in the absence 
of dishonest parties, this scheme, as originally proposed, 
does not allow Bob to recover the message |P) sent by 
Alice. After having access to this manuscript, Zeng and 
Keitel acknowledged that in their work they need to ^^rea- 
sonably assume that Alice, Bob, and the arbitrator know 
the message |P)" beforehand [8,]. Unfortunately, this cru- 
cial point for their scheme is not mentioned at all in their 
original manuscript, and it constitutes a severe limitation 
for the possible applicability of this protocol in a practical 
communication scenario. With this strong assumption, 
now one could modify the protocol in Ref. [l| and sub- 
stitute the parameter Ait by the original GHZ particle 
of the arbitrator such that Bob can obtain |P') (from 
his knowledge of Aia and Aib) and compare it with the 
known |P). Moreover, in the signing phase Alice would 
not need to send Bob the quantum state |P) anymore, 
but only its signature \S)- However, it seems to us that 
this scheme would be rather inefficient and expensive in 
terms of the quantum resources needed to perform this 
particular task. In the literature there are already un- 
conditionally secure classical signature schemes to sign 
classical information, with or without arbitrator, that 
moreover consider the natural scenario where the mes- 
sage to be signed does not need to be publicly known 
beforehand [Sj. In fact, if we assume the availability of 
a trusted arbitrator, Alice and Bob could as well use 
classical message authentication codes [l^] to sign their 
messages Therefore, we believe that in this case it 
would be necessary that the authors of Ref. [l| clarify 
the relevance of their scheme in a practical communica- 
tion scenario together with its real advantages, if any, 
with respect to unconditionally secure classical signature 
protocols. 
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